cloudstack-dev mailing list archives

From John Kinsella <...@stratosec.co>
Subject Re: [DISCUSS] realhostip.com going away
Date Fri, 07 Mar 2014 01:21:18 GMT
So - I’ve browsed around a little after pondering the idea of doing crypto at the JS level,
but I can’t seem to make the argument and keep a straight face. I did find a JS library
[1] that would probably work, but still you’re left with 2 issues: 1) gotta get the library
securely to the browser (proper running SSL on the management server), and 2) You’d still
need a CA to sign the certs that run on the console proxy/SSVM [2]. 

So, nix that. It seems like the best way to do this is have security off by default, make
sure that’s very obvious to new users, and have a guide on how to get things production-ready.

Anyways - we almost have the patch ready, Amogh and I have gone back/forth on the review once
or twice, once we get I think just one more issue straightened out we’re good.

John
1: https://github.com/digitalbazaar/forge
2: Ya know…we could run a CA on the management server….</securityGeekHumor>

On Mar 6, 2014, at 4:53 PM, Kelven Yang <kelven.yang@citrix.com> wrote:

> 
> 
> On 3/2/14, 8:15 AM, "Paul Angus" <paul.angus@shapeblue.com> wrote:
> 
>> There are a few issues with the current console proxy setup, not least of
>> which is the need to have internet access to resolve realhostip.com in
>> the first place - so console proxy can't work if you don't have internet
>> access on your client.  I have configured alternative realhostip.com
>> setups for clients - and quite a lot of work goes into creating the
>> infrastructure (and certs) to support changing to a user managed
>> certificate.
>> 
>> Sooo, is it at all possible to secure communications with the console
>> proxy, without having to rely on ANY outside entity?
> 
> 
> console proxy client is based on AJAX channel provided by browser via
> Javascript engine, which leaves the security option to be pretty much on
> HTTPS, and it requires a server certificate to start with. So we don't
> have many choices here.
> 
> -Kelven
> 
> 
>> 
>> Testing alone is going to be a pain, if a full ssl cert setup is required
>> to use console proxy..
>> 
>> Regards
>> 
>> Paul Angus
>> Cloud Architect
>> S: +44 20 3603 0540 | M: +447711418784 | T: CloudyAngus
>> paul.angus@shapeblue.com
>> 
>> -----Original Message-----
>> From: Amogh Vasekar [mailto:amogh.vasekar@citrix.com]
>> Sent: 28 February 2014 23:05
>> To: dev@cloudstack.apache.org
>> Subject: Re: [DISCUSS] realhostip.com going away
>> 
>> 
>> 
>> On 2/28/14 2:03 PM, "Nux!" <nux@li.nux.ro> wrote:
>> 
>>> There's also the problem of the certificate. It comes bundled in ACS as
>>> far as I can tell.. When does it expire?
>> 
>> notBefore=Feb  3 03:30:40 2012 GMT
>> notAfter=Feb  7 05:11:23 2017 GMT
>> 
> 

Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella
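
Added example (not part of the original thread, and not CloudStack code): a check for the bundled certificate's validity window, parsed from the notBefore/notAfter lines quoted above. The function names and the 90-day warning threshold are assumptions made for illustration.

```python
from datetime import datetime, timezone

# The two lines quoted in the thread, in the layout `openssl x509 -noout -dates` prints.
SAMPLE_DATES = """\
notBefore=Feb  3 03:30:40 2012 GMT
notAfter=Feb  7 05:11:23 2017 GMT
"""


def parse_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or key not in ("notBefore", "notAfter"):
            continue
        # openssl pads single-digit days with an extra space; collapse it.
        stamp = " ".join(value.split())
        # %b expects English month names (C/English locale assumed).
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
        fields[key] = parsed.replace(tzinfo=timezone.utc)
    if set(fields) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]


def validity_status(text, now, warn_days=90):
    """Classify the certificate at time `now`; returns (status, whole days left)."""
    not_before, not_after = parse_dates(text)
    days_left = (not_after - now).days  # negative once the cert has expired
    if now < not_before:
        return "not-yet-valid", days_left
    if now > not_after:
        return "expired", days_left
    if days_left <= warn_days:
        return "expiring", days_left
    return "ok", days_left


if __name__ == "__main__":
    # Evaluate at the time this message was sent (Date header above).
    sent = datetime(2014, 3, 7, 1, 21, 18, tzinfo=timezone.utc)
    print(validity_status(SAMPLE_DATES, sent))
    print(validity_status(SAMPLE_DATES, datetime.now(timezone.utc)))
```
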

